Five Preventable Breaches Make the Case for MFA Everywhere


Want to learn more about the preventable breaches? Check out this post where we look at common hack scenarios and how they can be prevented.


It's true that today's connected customers are all about seamless multi-channel experiences, but that doesn't mean they're not paying attention to the security of the data they're sharing — they just expect security and convenience at the same time. Security breaches can ruin the reputation of your brand, erode your customers' trust, and increase the likelihood of customer churn. And, as the number of compromised records increases, so does the loss of revenue. The Ponemon Institute's 2018 Cost of a Data Breach Study highlights this correlation, which has held steady over the past few years:

[Chart: Average Total Cost of Breach by Size of the Data Breach]

You face a similar balancing act when it comes to employees. Security practices that they consider burdensome can often lead to decreased productivity, which also leads to lost revenue. According to a Dell-sponsored survey on the impact of security on business users, "91 percent said their productivity is negatively impacted by employer security measures."

So, what's a modern-day security practitioner to do?

Balancing security with customer convenience and employee productivity has never been an easy exercise. But, today's authentication solutions are capable of leveraging contextual factors about users and their devices in near real-time. This ability is disrupting the age-old balancing act and forming the basis for a zero trust security framework.
Simultaneously, the historical roadblocks to deploying security solutions, such as multi-factor authentication, have weakened due to the introduction of modern capabilities.

  • Poor user experiences have been improved with the introduction of adaptive authentication, self-service capabilities, and phone-as-a-token authentication.
  • Limited legacy support for integrating 2FA beyond VPN use cases has been replaced with out-of-the-box APIs, SDKs, and integration kits.
  • Cost-prohibitive infrastructure and administration have been supplanted by cloud-delivered solutions, requiring minimal effort and oversight to run effectively.

The time you've been waiting for is here. Security's impact on the budget, IT resources, and user productivity has been minimized to the point that businesses can enable the right protection against the #1 enterprise attack vector, compromised credentials. This protection comes in the form of deploying multi-factor authentication (MFA) security everywhere.

Five Attack Scenarios, Five Reasons for MFA

MFA everywhere? Well, almost everywhere. The ways in which credentials are stolen are diverse. To illustrate the most common ways that credentials fall into the hands of bad actors, let's meet five personas, each of whom represents a common attack scenario.

Persona: The Eager Employee

Attack Vector: Phishing/Spear-Phishing

The war for talent is heating up, and companies are offering all sorts of perks to attract and retain employees. All they have to do is "sign in to receive the benefit." PhishMe's Enterprise Phishing Resiliency and Defense Report found that the "average phishing attack costs a mid-sized company $1.6 million," and that phishing attacks are up 65 percent YoY. The report also lists the most common rewards-based scenarios that employees fall for.

In the age of spear phishing, applications dealing in low-risk data can no longer be considered low risk. Consider your corporate SharePoint or Google Sites, which often contain information surrounding rewards programs, employee satisfaction surveys, and bonus payout timelines. This information has been used time and time again in successful spear phishing attempts, recently affecting employees (and subsequently the constituents) of a major US county government:

"Using e-mails disguised as pay-raise notifications, a sophisticated phishing scam duped the employees into giving up their login information, then used their official e-mail accounts and signatures to spread the attack to other contacts, according to county officials."

All of your applications, from the lowest to the highest risk, should be protected by a modern MFA solution. Operating under the assumption that credentials have already been stolen enables you to combat highly targeted spear phishing scams. And with a plethora of adaptive and contextual authentication policies available that allow you to enforce strong authentication only when things seem a bit...phishy, you can implement MFA on every application without materially impacting employee productivity.

Persona: The Astute Administrator

Attack Vector: SSH Attacks

Administrators with access to your server infrastructure are some of the most valuable targets in your organization for bad actors. Often, they're the second stop for a bad actor after they've compromised the credentials of an "eager employee." You've trained them to be highly aware of the broad threat landscape facing your organization, so they use secure methods to access critical infrastructure, such as logging in with Secure Shell (SSH) credentials. Unfortunately, a multitude of brute-force attacks, malware tools, and other approaches for compromising SSH credentials are widely available and in use today. In fact, Security Boulevard reports that a Chinese-based hacking group known as SSHPsychos "is so active in their brute-force attacks that at times they account for up to 35 percent of all SSH traffic on the Internet."

SSH client security has continued to increase in importance following the 2017 WikiLeaks documentation dump surrounding the existence of multiple CIA hacking tools designed to steal SSH credentials from Windows and Linux systems. Enforcing adaptive MFA policies for SSH logins through a pluggable authentication module or via ForceCommand are both proven methods of strengthening your protection for local and remote logins to Linux and Unix systems.

Persona: The Perilous Partner

Attack Vector: Many

Partnerships are an integral component of enterprise digital transformation efforts, often enabled by API integrations and application access via partner portals. Data and services available through these portals can vary wildly in sensitivity depending on the partnership's business purpose. Regardless of sensitivity, providing access to hundreds of third-party organizations to a range of internal data greatly expands your attack surface.

The risk profile of partner access is similar to that of insider attacks from employees, for which you've already prepared your organization. But your ability to establish similar controls to mitigate those risks is often limited. Regularly working with partners to ensure they maintain a security posture that meets your corporate requirements is one way to resolve this issue. But, it's difficult to scale and could introduce friction when onboarding new partners.

Instead, you need a way to ensure access is secure without involving your partners on a regular basis. By implementing a cloud-delivered adaptive MFA solution, you can easily allow partner employees to access resources using their own login credentials, while still maintaining a high standard for security. Modern solutions allow you to apply policies based on the network the access originates from, group membership, device posture, and the application being accessed. Additionally, automated provisioning and de-provisioning of users whenever attributes are updated or a user is removed from the directory can greatly enhance your security posture while still allowing partners the access they need.
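The contextual policies described here (and the "enforce strong authentication only when things seem phishy" idea in the phishing section above) come down to a small decision function over the attributes of each access attempt. The following is an added example, not code from the original post or from any MFA vendor; the network ranges, application names, group name and the "deny partners on unmanaged devices" rule are constructed assumptions for illustration. The important property is that a password alone never yields "allow" once any risk signal is present, which is what "assume the credentials are already stolen" means in practice.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed policy data (assumptions for this example, not a real deployment).
CORPORATE_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
HIGH_RISK_APPS = {"payroll", "admin-console", "partner-portal"}
PARTNER_GROUP = "partners"


@dataclass
class AccessContext:
    """Everything the policy engine knows about one access attempt."""
    user: str
    groups: set
    source_ip: str
    device_managed: bool        # device posture: enrolled and compliant
    application: str
    mfa_verified: bool = False  # strong auth already completed in this session


@dataclass
class Decision:
    action: str                 # "allow", "step_up" (require MFA) or "deny"
    reasons: list = field(default_factory=list)


def evaluate(ctx: AccessContext) -> Decision:
    """Adaptive policy: collect risk signals, then decide.

    No signals and a valid password -> allow without friction.
    Any signal -> require MFA unless it was already satisfied.
    Partner on an unmanaged device reaching a high-risk app -> deny outright.
    """
    reasons = []
    on_corp_net = any(ip_address(ctx.source_ip) in net for net in CORPORATE_NETWORKS)
    if not on_corp_net:
        reasons.append("off-network source")
    if not ctx.device_managed:
        reasons.append("unmanaged device")
    if ctx.application in HIGH_RISK_APPS:
        reasons.append(f"high-risk application {ctx.application}")
    is_partner = PARTNER_GROUP in ctx.groups
    if is_partner:
        reasons.append("external partner account")

    if is_partner and not ctx.device_managed and ctx.application in HIGH_RISK_APPS:
        return Decision("deny", reasons)
    if reasons and not ctx.mfa_verified:
        return Decision("step_up", reasons)
    return Decision("allow", reasons)


if __name__ == "__main__":
    # Constructed sample attempts to show the three outcomes.
    samples = [
        AccessContext("alice", {"staff"}, "10.1.2.3", True, "wiki"),
        AccessContext("alice", {"staff"}, "203.0.113.5", True, "wiki"),
        AccessContext("p1", {"partners"}, "203.0.113.5", False, "partner-portal"),
        AccessContext("p1", {"partners"}, "203.0.113.5", True, "partner-portal", mfa_verified=True),
    ]
    for s in samples:
        d = evaluate(s)
        print(f"{s.user:6} {s.application:15} -> {d.action:8} {d.reasons}")
```

Every decision carries its reasons so that the step-up prompt and the audit log can say why strong authentication was demanded; that record is what lets you tune thresholds later without guessing.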

Consider the measures taken by a Swiss telecommunications company following the breach of a third-party sales partner, resulting in the theft of the contact details of 800,000 of its customers:

"In response to the incident, [we've] introduced a number of systems to better protect personal data accessed by its partners:
  • Access by partner companies will now be subject to tighter controls and any unusual activity will automatically trigger an alarm and block access.
  • In the future, it will no longer be possible to run high-volume queries for all customer information in the systems.
  • In addition, two-factor authentication will be introduced in 2018 for all data access required by sales partners."

Persona: The Looted (Unencrypted) Laptop

Attack Vector: Physical Security

There's never been a shortage of government and industry guidance for storing sensitive data.

45 CFR 164.312(e)(2)(ii): "Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate."

Section 501, GLBA: "Financial institutions should employ encryption to mitigate the risk of disclosure or alteration of sensitive information in storage and transit."

GDPR Recital 83: "In order to maintain security and to prevent processing in infringement of this Regulation, the controller or processor should evaluate the risks inherent in the processing and implement measures to mitigate those risks, such as encryption."

Compliance and information security professionals exert a great deal of effort to ensure their organizations are compliant with these regulations by educating their users about the types of data which can and cannot be stored locally. And yet, employees still regularly store this data, unencrypted, on personal and corporate mobile devices, usually for reasons of convenience. When devices housing sensitive data are stolen and the theft results in a breach, the impact can be significant. The largest HIPAA settlement to date can be traced back to four stolen devices storing 4,000,000 patient records in plain text.

While companies must continue to provide guidance and education on how to store data securely, taking additional steps to secure employee devices should also become a priority for identity and security practitioners. Modern MFA solutions provide supported integrations with desktop and laptop login systems for exactly this purpose.

One concern that often arises with this use case is the need for an offline option in case the end user's device isn't connected to the Internet. The concern is a valid one, and when implementing MFA for this use case, an offline mode is essential. Watch the demo below to view the end-user experience of an offline MFA flow during Windows Login:


Persona: The Careless Consumer

Attack Vector: Account Takeover

Following the Equifax breach, millions of users scrambled to change their login credentials and answers to knowledge-based authentication (KBA) questions across a range of websites hosting their sensitive data.

Or, did they?

For the most part, no. Not even a breach of this size was impactful enough for global consumers to change their behavior. Unfortunately, credential reuse remains rampant today and the password is still not dead. As a result, hackers continue to take advantage of consumer nonchalance, using slow-paced credential cracking/stuffing attacks to avoid the rate limits of enterprise consumer authentication systems.
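Slow-paced stuffing works precisely because per-IP rate limits look at attempts per minute and nothing else. A detector that instead counts how many distinct usernames an address has failed against over a long window catches it even when the rate stays far below the limit. The following is an added example, not code from the original post or from ThreatMetrix; the log line format and the sample log are constructed, and the thresholds (five distinct usernames, one attempt per minute) are assumed values a real deployment would tune.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed log format: one line per login attempt.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) login result=(?P<result>fail|success) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)

# Constructed sample log: 203.0.113.9 tries six accounts over 40 minutes (one attempt
# every 8 minutes, well under a one-per-minute limit) and finally succeeds on "frank";
# 198.51.100.4 is a legitimate user mistyping a password twice.
SAMPLE_LOG = """
2018-06-01T10:00:00Z login result=fail user=alice ip=203.0.113.9
2018-06-01T10:08:00Z login result=fail user=bob ip=203.0.113.9
2018-06-01T10:16:00Z login result=fail user=carol ip=203.0.113.9
2018-06-01T10:24:00Z login result=fail user=dave ip=203.0.113.9
2018-06-01T10:32:00Z login result=fail user=erin ip=203.0.113.9
2018-06-01T10:40:00Z login result=success user=frank ip=203.0.113.9
2018-06-01T10:05:00Z login result=fail user=bob ip=198.51.100.4
2018-06-01T10:05:30Z login result=fail user=bob ip=198.51.100.4
2018-06-01T10:06:00Z login result=success user=bob ip=198.51.100.4
""".strip().splitlines()


def parse_events(lines):
    """Yield dicts for every line that matches the login record format."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a login record; ignore
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield rec


def detect_stuffing(lines, min_distinct_users=5, max_per_minute=1.0):
    """Flag source IPs that failed against many distinct accounts, however slowly.

    Returns {ip: summary}. `under_rate_limit` shows whether a plain per-minute
    limiter would have missed the source; `accounts_logged_in` lists accounts
    the flagged source did get into, which are the ones to reset and review.
    """
    by_ip = defaultdict(list)
    for ev in parse_events(lines):
        by_ip[ev["ip"]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        users_failed = {e["user"] for e in evs if e["result"] == "fail"}
        if len(users_failed) < min_distinct_users:
            continue
        evs.sort(key=lambda e: e["ts"])
        span_min = max((evs[-1]["ts"] - evs[0]["ts"]).total_seconds() / 60, 1.0)
        per_minute = len(evs) / span_min
        findings[ip] = {
            "attempts": len(evs),
            "distinct_users_failed": len(users_failed),
            "per_minute": round(per_minute, 3),
            "under_rate_limit": per_minute < max_per_minute,
            "accounts_logged_in": sorted(e["user"] for e in evs if e["result"] == "success"),
        }
    return findings


if __name__ == "__main__":
    for ip, summary in detect_stuffing(SAMPLE_LOG).items():
        print(ip, summary)
```

The same per-source counting can be done the other way round (one account failing from many addresses) to catch distributed attempts against a single high-value user; either way, an account that a flagged source successfully logged into is the signal that MFA would have stopped the takeover at the point the password proved insufficient.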

"According to ThreatMetrix data, thieves using stolen identity credentials to launch ATO attacks accounted for nearly 17 percent of all retail login attempts."

And, it gets worse. Consumers are highly reluctant to adopt multi-factor authentication as a solution to this problem. Almost seven years after Google introduced its free 2FA service, adoption remains below 10 percent of active users. The SANS Institute studied the reasons for this reluctance, the results of which are displayed below:

Overcoming this reluctance won't be easy. But if the most popular result from the SANS survey ("I was too busy to do it") holds true for the wider population, the remedy is simple. An attractive consumer MFA solution must increase security and convenience without adding to the time they spend on everyday digital interactions. Enticing consumers to sign up for MFA must include an explicit, non-security-related benefit.

Many enterprises are making these digital interactions more convenient by embedding MFA into their consumer-facing mobile applications. Out-of-band push authentication mechanisms (swipe, tap, biometrics) can easily replace a number of time-consuming processes, which, today, require a phone call or re-entering credentials. Password resets, customer service identity verification calls, and high-dollar transaction approvals are just a few examples where mobile push authentication can save a customer time and effort while improving security.

MFA Is a Head Start in the Race Against Hackers

The race is on to secure enterprise resources before hackers have a chance to breach them. Modern authentication solutions provide the means to secure the most common enterprise attack vectors without getting in the way of the employees, partners, and customers who need access. Identity and security professionals should consider all use cases that might require MFA now, and in the future, and then plan requirements for a solution based on the projected needs of their business. Comprehensive MFA deployment may also require the involvement of enterprise architects, many of whom are already working toward a centrally managed authentication authority.

Watch our recent webinar to learn about common requirements for deploying MFA everywhere. And when you're ready to begin assembling requirements for a solution, the MFA Buyer's Guide can help you make the right decision for your enterprise.


Published at DZone with permission of

Opinions expressed by DZone contributors are their own.